SharePoint 2013 and forms based authentication configuration for Open LDAP

I was recently tasked with helping a customer configure their SharePoint 2013 farm to use forms-based authentication against a standard non-Microsoft LDAP directory. This directory was configured to require an authenticated user to make the query. No anonymous queries allowed! The following article explains nicely how to configure the base scenario, where you don’t need to worry about passing user credentials.

We spent entirely too much time working with the parameters to figure out how to pass login information. After much research, and a look at the source code, I realized what’s needed. In the following web.config sample, you’ll see we’ve added three items that tell the provider to pass the connection info. The first two items are fairly self-explanatory: you’ll need to provide a username and password. Make sure the username format matches what your LDAP is expecting. The important entry that makes this all work is the third highlighted item, useDNAttribute. This tells the provider to bind with the web.config credentials when it performs the LDAP query. Make sure you add these entries for both your membership and role providers. (I have seen a lot of places list useUserDNAttribute in web.configs. As far as I can tell, it does nothing.)

These were some of the entries we were seeing in the ULS logs. We could see that users weren’t getting authenticated, despite passing good username/password combinations. At times we saw success messages after this, but these lines told us they were false positives.

The following is a PowerShell script you can leverage to test your configuration, without having to update web.configs 100 times. My colleague, Joe Rodgers, created it. I’ve attached a zipped copy to this post.

### SHOULD NOT HAVE TO MODIFY ANYTHING BELOW THIS POINT ###
# Load the SharePoint cmdlets; the error is suppressed when the snap-in is already loaded
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
# Load the User Profiles assembly the remainder of the script depends on
[void][System.Reflection.Assembly]::LoadWithPartialName("Microsoft.Office.Server.UserProfiles")
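The following is an added example, not Joe's attached script and not part of the original post. It performs, outside SharePoint, the same three LDAP steps the provider performs once the entries above are in place: bind as the service account, search for the user under the configured container, then bind as that user's DN with the password typed into the form. Each parameter is commented with the web.config attribute it stands in for; the attribute names connectionUsername and connectionPassword are the provider's names for the username and password entries as I recall them, and every server name, DN and password below is a placeholder you must replace.

```powershell
# Added example: dry-run the LDAP steps the SharePoint LDAP provider performs,
# so the bind account, container and filter can be checked before any web.config is edited.
# All values below are placeholders (assumption); replace them for your directory.
param(
    [string]$Server             = "ldap.example.local",                         # web.config: server
    [int]   $Port               = 389,                                          # web.config: port
    [bool]  $UseSSL             = $false,                                       # web.config: useSSL
    [string]$UserContainer      = "ou=people,dc=example,dc=local",              # web.config: userContainer
    [string]$UserNameAttribute  = "uid",                                        # web.config: userNameAttribute
    [string]$UserFilter         = "(objectClass=inetOrgPerson)",                # web.config: userFilter
    [string]$ConnectionUsername = "cn=sp-bind,ou=service,dc=example,dc=local",  # web.config: connectionUsername
    [string]$ConnectionPassword = "<bind-account-password>",                    # web.config: connectionPassword
    [string]$TestUser           = "jdoe",                                       # login a user would type into the FBA form
    [string]$TestPassword       = "<that-user-password>"
)

Add-Type -AssemblyName System.DirectoryServices.Protocols

function ConvertTo-LdapFilterValue([string]$Value) {
    # RFC 4515 escaping so a login name cannot change the shape of the search filter
    $sb = New-Object System.Text.StringBuilder
    foreach ($ch in $Value.ToCharArray()) {
        switch ($ch) {
            '\'  { [void]$sb.Append('\5c') }
            '*'  { [void]$sb.Append('\2a') }
            '('  { [void]$sb.Append('\28') }
            ')'  { [void]$sb.Append('\29') }
            "`0" { [void]$sb.Append('\00') }
            default { [void]$sb.Append($ch) }
        }
    }
    return $sb.ToString()
}

function New-LdapBind {
    # Simple bind (AuthType Basic) with a full DN, which is what a non-Microsoft LDAP expects
    param([string]$Dn, [string]$Password)
    $identifier = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $Port)
    $credential = New-Object System.Net.NetworkCredential($Dn, $Password)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection(
        $identifier, $credential, [System.DirectoryServices.Protocols.AuthType]::Basic)
    $conn.SessionOptions.ProtocolVersion = 3
    $conn.SessionOptions.SecureSocketLayer = $UseSSL
    $conn.Bind()   # throws LdapException on a bad DN/password or an unreachable server
    return $conn
}

# Step 1: bind as the service account (the bind that connectionUsername/connectionPassword/useDNAttribute enable)
Write-Host "Binding as service account $ConnectionUsername ..."
$serviceConn = New-LdapBind -Dn $ConnectionUsername -Password $ConnectionPassword
Write-Host "  OK"

# Step 2: search for the test user under the configured container, as the provider would
$filter  = "(&$UserFilter($UserNameAttribute=$(ConvertTo-LdapFilterValue $TestUser)))"
$request = New-Object System.DirectoryServices.Protocols.SearchRequest(
    $UserContainer, $filter, [System.DirectoryServices.Protocols.SearchScope]::Subtree, @("cn"))
$response = $serviceConn.SendRequest($request)
if ($response.Entries.Count -ne 1) {
    throw "Expected exactly one entry for '$TestUser' under $UserContainer, got $($response.Entries.Count). Check userContainer, userNameAttribute and userFilter."
}
$userDn = $response.Entries[0].DistinguishedName
Write-Host "  Found $userDn"
$serviceConn.Dispose()

# Step 3: bind as the user's DN with the password from the form; success here means FBA would accept the login
Write-Host "Binding as $userDn ..."
$userConn = New-LdapBind -Dn $userDn -Password $TestPassword
Write-Host "  OK: this user would authenticate"
$userConn.Dispose()
```

If step 1 fails, the web.config credentials or their format are wrong; if step 2 finds zero or several entries, the container, name attribute or filter is wrong; if step 3 fails, the user's password is wrong or the directory refuses simple binds for that entry. Because connectionPassword sits in clear text in web.config, give the bind account read-only rights to the user and group containers and nothing more, and restrict who can read the web.config files on the farm servers.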